Question 1

Which two characters can be used when writing a policy to reflect a wildcard or path segment? (Select two)

Accepted Answer

C, F

Explanation: Comprehensive and Detailed in Depth Vault policies use specific characters for wildcards and path segments. The HashiCorp Vault documentation states: "The plus sign (+) can be used to denote a path segment and can be used in the middle of a path. The splat (*) can be used as a wildcard but can only be used at the very end of a path." These are the only characters designated for such purposes in policy syntax. The docs add: "For example, secret/data/* matches all paths under secret/data/, while secret/+/foo matches a single segment like secret/bar/foo." &, @, $, and # have no special meaning in Vault policies. Thus, C (*) and F (+) are correct. Reference: HashiCorp Vault Documentation - Policies: Policy Syntax

Question 2

You have multiple Vault clusters in your environment, one for test and one for production. You have
the CLI installed on your local machine and need to target the production cluster to make
configuration changes. What environment variable can you set to target the production cluster?

Accepted Answer

C

Explanation: Comprehensive and Detailed In-Depth The VAULT_ADDR variable specifies the target Vault server. The Vault documentation states: "VAULT_ADDR is the environment variable that is used to specify the address of the Vault server expressed as a URL and port, for example: https://vault.bryankrausen.com:8200/. You can easily modify the value of the environment variable whenever you want to target a different Vault node/cluster." — Vault Environment Variables C: Correct. Sets the production cluster address: "Setting the VAULT_ADDR environment variable allows you to specify the address of the Vault server you want to target." — Vault Environment Variables A, B, D: Incorrect; unrelated to CLI targeting. Reference: Vault Environment Variables

Question 3

Short-lived, dynamically generated secrets provide organizations with many benefits. Select the benefits from the options below. (Select four)

Accepted Answer

A, B, C, D

Explanation: Comprehensive and Detailed In-Depth Dynamic secrets in Vault are generated on-demand and have short lifespans, offering significant security and operational benefits: A. Unique Credentials per Instance: "Each application instance can generate its own credentials" isolates access, reducing the blast radius of a compromise. The documentation highlights: "This improves security by isolating access." B. On-Demand Existence: "Credentials only exist when needed" minimizes exposure time. Vault’s design ensures "dynamic secrets do not exist until they are read," reducing theft risk. C. Least Privilege Enforcement: "Applications only have access to privileged accounts when needed" aligns with security best practices. "This helps enforce the principle of least privilege," per the docs. D. Invalidation of Leaked Credentials: "Credentials accidentally checked into a code repo or discovered in a text file are likely to be invalid" due to their short lifespan and revocation. "Dynamic secrets can be revoked immediately after use." Incorrect Option: E. Static Nature Misconception: "Dynamic credentials do not change" is false. The documentation counters: "Dynamic secrets change," enhancing security, but this may challenge legacy apps, not ease their use. These benefits collectively enhance security by limiting credential exposure and scope. Reference: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamicsecrets

Question 4

When Vault is sealed, which are the only two operations available to a Vault administrator? (Select two)

Accepted Answer

A, E

Explanation: Comprehensive and Detailed in Depth When Vault is sealed, its functionality is severely restricted to protect encrypted data. The HashiCorp Vault documentation states: "While Vault is sealed, the only two options available are viewing the vault status (vault status) and unsealing Vault (vault operator unseal). All the other actions require Vault to be unsealed and the user to be authenticated." This limitation ensures that no operations can access or modify data until the Vault is unsealed, enhancing security. The documentation under "Shamir Seals" further elaborates: "When Vault is sealed, it knows where its encrypted data is stored but cannot decrypt it because the master key is not in memory. The only available operations are checking the seal status and initiating the unseal process." Thus: A (View the status of Vault): The vault status command works when sealed, providing details like seal state. E (Unseal Vault): The vault operator unseal command allows administrators to begin unsealing. Options like configure policies (B), view data in the key/value store (C), rotate the encryption key (D), and author security policies (F) require an unsealed Vault and authentication, making A and E the correct selections. Reference: HashiCorp Vault Documentation - Seal Concepts: Shamir Seals HashiCorp Vault Documentation - Vault Status Command

Question 5

Without logging into another interface, what feature can Chad use to execute a simple CLI command to enable a new secrets engine? https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Hahicorp_HCVA0-003/page_65_img_1.jpg

Accepted Answer

A

Explanation: Comprehensive and Detailed in Depth The Vault UI includes a feature allowing CLI commands to be executed directly within the interface, known as the CLI emulation or REPL (Read-Eval-Print Loop) terminal. The HashiCorp Vault documentation states: "The Vault GUI includes an advanced mode that uses a read–eval–print loop (REPL) terminal to mimic basic create/read/update/delete/list (CRUDL) commands for users who are more familiar with the Vault CLI than the GUI." This feature enables Chad to run a command like vault secrets enable without switching to a separate CLI, fulfilling the requirement. The documentation under "Explore the Vault UI" adds: "This terminal allows users to execute Vault CLI commands directly from the web interface, enhancing usability for those accustomed to CLI workflows." Options like user information (B), client count details (C), and access management (D) do not provide CLI execution capabilities. Thus, A is correct. Reference: HashiCorp Vault Documentation - Getting Started UI: Explore the Vault UI

Question 6

What is the default method of authentication after first initializing Vault?

Accepted Answer

D

Explanation: Comprehensive and Detailed in Depth After initializing Vault, the default authentication method is Tokens, specifically the root token. The HashiCorp Vault documentation states: "After initializing, Vault provides the user the root token, which is the only way to log in to Vault in order to configure additional auth methods." This root token is generated during initialization and serves as the initial means of authentication until other methods are configured. The documentation further explains under the "Token Authentication" section: "Tokens are the core method for authentication within Vault. Upon initialization, a root token is created which can be used to configure Vault further." TLS certificates, GitHub, AppRole, and Userpass require additional setup, and there’s no default Admin account method. Thus, D (Tokens) is correct. Reference: HashiCorp Vault Documentation - Token Authentication

Question 7

Which two interfaces automatically assume the token for subsequent requests after successfully authenticating? (Select two)

Accepted Answer

A, C

Explanation: Comprehensive and Detailed in Depth After successful authentication, the CLI and UI interfaces in Vault automatically assume the token for subsequent requests, simplifying user interaction. The HashiCorp Vault documentation states: "After authenticating, the UI and CLI automatically assume the token for all subsequent requests. The API, however, requires the user to extract the token from the server response after authenticating in order to send with subsequent requests." This is facilitated by Vault’s token helper mechanism for CLI and session management in the UI. The documentation under "Token Helper" explains: "The Vault CLI uses a token helper to store the token locally after login (e.g., vault login), and future commands automatically use this token without requiring it to be specified each time." Similarly, the UI stores the token in the browser session post- login. In contrast, the API requires explicit inclusion of the token in each request header (e.g., X- Vault-Token), making manual token management necessary. Thus, A (CLI) and C (UI) are correct. Reference: HashiCorp Vault Documentation - Commands: Token Helper

Question 8

You need to connect to and manage a new HCP Vault cluster using the Vault CLI on your laptop. What environment variables should you set to establish connectivity?

Accepted Answer

C

Explanation: Comprehensive and Detailed in Depth To connect to an HCP Vault cluster using the Vault CLI, you need to set VAULT_ADDR and VAULT_NAMESPACE. The HashiCorp Vault documentation states: "You can use environment variables to configure the CLI globally. For example, export VAULT_ADDR='http://localhost:8200' sets the address of your Vault server globally." For HCP Vault, the default port is 8200, and the default namespace is "admin," so VAULT_ADDR=https:// :8200 and VAULT_NAMESPACE=admin are required. A token (via VAULT_TOKEN) is also needed for authentication but is typically set after initial connectivity. VAULT_CLIENT_KEY isn’t a standard variable for CLI connectivity. VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR are not used for this purpose. Thus, C provides the correct variables. Reference: HashiCorp Vault Documentation - CLI Environment Variables

Question 9

During a service outage, you must ensure all current tokens and leases are copied to another Vault cluster for failover so applications don’t need to authenticate. How can you accomplish this?

Accepted Answer

C

Explanation: Comprehensive and Detailed in Depth A: Insecure and manual; not a Vault feature. Incorrect. B: Auto-auth doesn’t replicate tokens/leases. Incorrect. C: DR replication mirrors tokens and leases; promotion enables failover. Correct. D: Performance replication doesn’t replicate tokens fully. Incorrect. Overall Explanation from Vault Docs: “Disaster Recovery replication mirrors tokens and leases… Promote the secondary during an outage.” Reference: https://developer.hashicorp.com/vault/docs/enterprise/replication#replicated-data

Question 10

Christy has created a token and needs to use that token to access Vault. What command can she use
to authenticate and access secrets stored in Vault?
$ vault token create -policy=christy
Key
Value
---
-----
token
hvs.hxDIPd8RPVtxu4AzSGS1lArP
token_accessor
AxwxpDs6LbdFQbWGmBDnwIK3
token_duration
24h
token_renewable
true
token_policies
["christy" "default"]
identity_policies
[]
policies
["christy" "default"]

Accepted Answer

A

Explanation: Comprehensive and Detailed in Depth To authenticate with a specific token, Christy should use the vault login command with the token value. The HashiCorp Vault documentation states: "To login with a token, you can use vault login or even vault login -method=token if you like typing more." For the given token hvs.hxDIPd8RPVtxu4AzSGS1lArP, the command vault login hvs.hxDIPd8RPVtxu4AzSGS1lArP authenticates Christy and stores the token for subsequent CLI use. The docs provide an example: "``` $ vault login s.sf4vj1rFV5PvQSbrxQFsfbXA Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run ‘vault login’ again. Future Vault requests will automatically use this token. Key Value token s.sf4vj1rFV5PvQSbrxQFsfbXA

Question 11

You are using Azure Key Vault for the auto-unseal configuration on your cluster. After the Vault service restarts, what command must you run to unseal Vault?

Accepted Answer

A

Explanation: Comprehensive and Detailed in Depth When using Azure Key Vault for auto-unseal, no manual command is required to unseal Vault after a service restart. The HashiCorp Vault documentation states: "Vault supports opt-in automatic unsealing via cloud technologies: AliCloud KMS, AWS KMS, Azure Key Vault, Google Cloud KMS, and OCI KMS. This feature enables operators to delegate the unsealing process to trusted cloud providers to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters." Specifically, for Azure Key Vault, "the auto-unseal feature automatically handles the unsealing process," eliminating the need for manual intervention. The documentation further explains: "When configured with auto-unseal, Vault will automatically unseal itself upon startup using the configured key management service, provided the necessary permissions and credentials are in place." Options like vault operator unseal are for manual unsealing, vault operator members lists cluster members, and vault operator init initializes Vault— none apply to auto-unseal scenarios. Thus, A is correct. Reference: HashiCorp Vault Documentation - Auto Unseal with Azure Key Vault HashiCorp Vault Documentation - Seal Concepts: Auto Unseal

Question 12

You have a long-running app that cannot handle a regeneration of a token or secret. What type of token should be created for this application in order to authenticate and interact with Vault?

Accepted Answer

B

Explanation: Comprehensive and Detailed in Depth For a long-running application that cannot handle token or secret regeneration, the Periodic Service Token is the most suitable choice. According to HashiCorp Vault documentation, periodic service tokens are renewable tokens that do not have a maximum Time-to-Live (TTL), meaning they can be renewed indefinitely by the client without requiring manual intervention or regeneration. This is ideal for applications needing continuous access to Vault over an extended period. The documentation states: "Periodic tokens have a TTL, but no max TTL. Periodic tokens may live for an infinite amount of time, so long as they are renewed within their TTL." This feature ensures uninterrupted operation for long-running processes, aligning perfectly with the scenario described. In contrast, a Service Token with Use Limit has a finite number of uses before expiration, making it unsuitable for continuous access without regeneration. A Batch Token is designed for short-lived, one-time operations or batch processes, not persistent access, as it lacks renewability and has a fixed TTL. An Orphan Token, while not tied to a parent token, does not inherently address the regeneration issue and is less secure for long-term use due to its lack of association with policies or identity. Thus, the periodic service token stands out as the best fit. Reference: HashiCorp Vault Documentation - Tokens: Periodic Tokens

Question 13

True or False? You can create and update Vault policies using the UI.

Accepted Answer

A

Explanation: Comprehensive and Detailed In-Depth The Vault UI supports policy management: A. True: "You can indeed create and update Vault policies within the UI." Incorrect Option: B. False: Incorrect; UI functionality exists. Reference: https://developer.hashicorp.com/vault/docs/concepts/policies

Question 14

The Vault encryption key is stored in Vault's backend storage.

Accepted Answer

B

Explanation: The statement is false. The Vault encryption key is not stored in Vault’s backend storage, but rather in Vault’s memory. The Vault encryption key is the key that is used to encrypt and decrypt the data that is stored in Vault’s backend storage, such as secrets, tokens, policies, etc. The Vault encryption key is derived from the master key, which is generated when Vault is initialized. The master key is split into unseal keys using Shamir’s secret sharing algorithm, and the unseal keys are distributed to trusted operators. To start Vault, a quorum of unseal keys is required to reconstruct the master key and derive the encryption key. The encryption key is then kept in memory and used to protect the data in Vault’s backend storage. The encryption key is never written to disk or exposed via the API. Reference: Seal/Unseal | Vault | HashiCorp Developer, Key Rotation | Vault | HashiCorp Developer

Question 15

True or False? To prepare for day-to-day operations, the root token should be safely saved outside of Vault in order to administer Vault.

Accepted Answer

B

Explanation: Comprehensive and Detailed in Depth The statement is False. Saving the root token outside of Vault for day-to-day operations is not a recommended practice and contradicts Vault’s security principles. The HashiCorp Vault documentation explicitly states: "For day-to-day operations, the root token should be revoked after configuring other auth methods, which admins and Vault clients will use." This is because the root token has unrestricted access to all Vault operations, posing a significant security risk if stored externally and used routinely. Instead, Vault encourages the use of less-privileged tokens or alternative authentication methods post-initialization. The documentation further elaborates under the "Root Tokens" section: "Root tokens are tokens with an infinite TTL that have the 'root' policy attached to them. Because of their power, it is strongly recommended that they be used only as necessary and then immediately revoked when no longer needed." Storing the root token outside Vault increases the risk of compromise, and Vault’s design assumes it is used sparingly—typically only during initial setup—and then replaced with more secure, limited-privilege mechanisms. Thus, the correct operational approach is to revoke the root token after setup, not save it externally, making B (False) the correct answer. Reference: HashiCorp Vault Documentation - Tokens: Root Tokens

Free HashiCorp HCVA0-003 Actual Exam Questions